Guide to Network Auditing and Compliance

Getting and staying compliant requires IT organizations to follow a few best practices.

Learn regulatory requirements: Compliance becomes overwhelming for many IT shops because they don't have a clear understanding of what various regulations require. According to certified information security manager and independent IT security/SOX auditor Michael Kamens, when an IT shop seems stalled by too many controls, IT executives "can reduce these by having an educated understanding of what the actual law asks for."

Conduct a network pre-assessment: To become compliant, IT organizations must first know their compliance profile. IT executives must review IT infrastructure, application architecture, policies, procedures and processes, and overall network design.

Standardize policies and processes across IT domains: While many GRC efforts start in one domain, IT organizations going forward need to design compliance efforts to address an entire IT and business environment. "Organizations are beginning to define their organizational structures, business processes and technology architectures to implement an infrastructure that effectively defines, manages and monitors GRC," Forrester Research reports. "Often this endeavor starts with a single area of GRC and is aimed at moving to encompass other areas over time."

Educate IT and company users on compliance policies: No policy-based efforts can succeed without the user community understanding, accepting and practicing the policies. IT executives working toward compliance must conduct education and training exercises with both IT and corporate users to ensure they are following the set of policies and procedures designed to keep a company compliant.

Monitor ongoing compliance: Once policies are established and systems are standardized in line with regulatory requirements, IT executives should invest in tools to monitor network and system access to prevent compliance creep. Such tools will help IT shops stay on top of actions taken in the environment, spot misconfigured network and system elements, and remediate the problems before an audit.